At Progressive Railroading's third annual Secure Rail Conference, held April 5-6 in Orlando, Fla., attendees listened to 20 presentations on topics that addressed how railroads can improve the security of assets, passengers and employees.

Starting with the event's first session, it became clear that cybersecurity risks and threats would be a primary topic addressed this year. The day opened with a panel discussion of "Railroad Cyber Risk Management," featuring speakers Nick Chodorow, chief information officer of the Belt Railway Co. of Chicago; J. Alex Lang, CIO at Carload Express Inc.; and Biff Myre, director, solutions, at OnX Managed Services Inc. Ron Schlecht, managing partner of BTB Security, served as moderator.

The conversation began with Schlecht's observation that the application of cyber technology has spread quickly through the rail industry. Although physical vulnerabilities to rail systems remain, the greatest security risk to the industry right now may be found online rather than onboard.

The industry's installation of positive train control (PTC) has led to "massive projects" to upgrade technology, Schlecht noted. The Belt Railway's entire IT footprint has expanded exponentially since the railroad began installing PTC technology along its 28 miles of mainline track in Chicago, Chodorow said.

"Now everything is IT connected," Chodorow said. "My team doesn't understand what that entirely means to be an IT-based network, so we're bringing in vendors to help us understand where our [security] vulnerabilities are and where someone might be able to get into our network. Those are things my peers would not have thought about in the past. They would have thought about things like, 'What happens if someone steals copper?' For me, I'm thinking, 'What if they get into our wireless network?' With that comes a lot of other risks."

Myre advised railroads eager to use Internet of Things (IoT) principles to drive efficiencies to pay close attention to protecting their data as well, not just to how they use it.

"Also, if you're dealing with a lot of industrial manufacturers, you have to ask yourself how much have they been thinking about the security of their products," he said. "Build trusted networks and [use] password protection. Otherwise, you will have to rely on every manufacturer doing it right and you need to assume it is not being done right."

Carload Express' Lang gave the short-line's perspective on cybersecurity concerns.

"For a lot of us, technology is still fairly new," said Lang. "We're crusty operations people used to doing things a certain way. The biggest cybersecurity threat for us is still the fairly broad malware and cyber attacks that take encrypted data and hold it for ransom."

Railroads should have a management response prepared for a potential data breach, Myre said.

"You have to assume that someone will get into your [data], and how you will detect it and mitigate it," he added.

Day 1 morning sessions

Other morning sessions presented during Day 1 of the conference included Jeff Watts, director of cybersecurity at RPI Group Inc., who addressed how to apply Department of Defense risk management and asset experience to the transportation sector; and Scott Carns, vice president-operations at Duos Technologies Inc., who discussed the use of multisensor technologies such as LIDAR and video analytics for detecting track safety and security at transit agencies.

The morning wrapped up with a presentation by Transportation Security Administration (TSA) inspectors Hans Hayes, Edison Velez and Ed Malinowicz, who described the purpose of the TSA Office of Security Surface Outreach, which offers railroads and transit agencies programs such as a voluntary "Baseline Assessment for Security Enhancements" (BASE). Using the assessment, the TSA will conduct a comprehensive review of an agency's overall security posture, then offer a report on how it compares with others in the industry.

After lunch, attendees returned to hear from Pamela McCombe, technical manager of transit and rail systems at WSP/Parsons Brinckerhoff, who works with SunRail. McCombe talked about the process of assessing security risks at transit agencies, and noted that each agency may have a different view of what level of risk is acceptable.

"Some may find certain circumstances acceptable and some do not," she said. "Risk management is identifying threats and vulnerabilities and then prioritizing the allocation of resources."

Security solutions for freight, passenger railroads

Later that afternoon, sessions featured Jim Lubcke, manager of systems solutions integration at CSX, and Steve Bowen, senior commercial business development manager at PacStar, who discussed the case study of a new, small form factor deployable network monitoring and analysis solution used to analyze CSX's wayside PTC network; and Northeast Logistics Systems LLC President Richard Flynn, who talked about the state of rail security post-9/11.

Lubcke, Bowen and Flynn were followed by Steven Polunsky, a research scientist at Texas A&M Transportation Institute, who described a study of the homeland security implications of the proposed bullet train operation between Dallas and Houston.

Also speaking that afternoon were Canadian Pacific Vice President and Chief Risk Officer Laird Pitz, who offered his perspective on the importance of having a corporate strategy for managing risk; and Wi-Tronix President Larry Jordan, who discussed the concept of file-less data and asset security systems of the future.

Metra Police Department Paul Riggio closed Day 1 by describing a critical response training program that his department created for Metra engineers and conductors. The program addressed how the railroad's staff should respond to an active shooter situation.

Another full day of sessions

Day 2 began with DPS Telecom's Marketing Director Andrew Erickson, who described ways to remotely monitor and control mission-critical trackside and telecom facilities. He was followed by Immanuel Triea's presentation on how to leverage internal control and audits to address cyber threats and risks. Triea is senior director of information security at Gannett Fleming Inc.

Next was Jim McKenney, who last week moved to a new position with NCC Group's transportation practice after spending the past two years as a solutions architect at CSX. McKenney's session, titled “How to Hack a Train Safely,” explored how to pick a methodology for cybersecurity testing, as well as how to share the results with a railroad's executive leadership team and the rank and file.

Ellen Linnenkamp, managing director of Strukton Rail North America, and Lex van der Poel, director at Dual Inventive, followed with their presentation on transit-rail security. They traveled from the Netherlands to give a session on how remote-controlled shunts, monitoring systems, predictive algorithms and a secured cloud system have been used to secure Amsterdam Central Station.

The remaining sessions featured:
• Nick Percoco, chief information security officer at Uptake, who spoke on the importance of building a security system that protects a railroad's specific needs, rather than adapting to a system that was designed for another organization;
• Gary Gordon, adjunct faculty member in security studies at the University of Massachusetts Lowell, and Richard Young, professor of supply chain management at The Pennsylvania State University at Harrisburg, who co-presented on identifying the risk factors involved with ocean containers arriving at U.S. ports, then how to develop a strategy for addressing those risks as part of intermodal service;
• Mark Kraeling, product architect at GE Transportation, who discussed security fundamentals and methods that can be applied to locomotives;
• CheeYee Tang, electronics engineer at the National Institute of Standards and Technology (NIST), who described the cybersecurity testbed that NIST is developing for rail transportation systems; and
• Stewart Skomra, president and chief technology officer of TeMeDa LLC, who addressed the importance of IoT in the rail and intermodal transportation corridor, as well as establishing and maintaining trust as part of doing business in those realms.